Why banks can no longer settle for ‘minimum security requirements’

Posted on August 15th, 2017

If minimum security requirements are what financial institutions are aiming for, we as an industry are doing it wrong. The security of our customers’ private information and cash should be our greatest focus.

As banks realize the inevitable transition from the physical plastic card to a more secure, convenient and easier to deploy and issue digitized format, security remains at what the banks and the card schemes officially call a “minimum requirement”.

Likewise, with the advent of another significant breakthrough in mobile point-of-sale systems, PIN on Glass, which will enable the secure entry of a financial PIN on the screen of a regular Android device, the industry remains exposed. This creates a lack of trust in digitization that can seriously impede adoption.

The risks of doing the bare minimum

One great example of this is an eATM breach earlier this year that few in the industry are talking about. Other examples include attempts to allow PIN entry on mobile devices with minimal protection, which can create serious problems for the industry.

In both cases I mentioned above, the banks have shown a healthy dose of innovation risk adoption, yet they have overlooked better and more modern security solutions just because they trust some of their legacy concepts.

The fintech industry is driving security innovations that will be applied in industries like aerospace and connected cars, so it is important that fintech plays more of a smart adapter role, rather than the guinea pig. As a result, we need to do much better at what the industry calls its minimum security requirement.

One of the glaring problems of adhering to minimum security deployment is that we are not yet at the stage where our IoT devices are transacting or where AI is conducting all transactions on our behalf. It may look like we are getting there quickly, however despite all the progress and all the innovation summits and demo days and blockchain discussions that financial institutions are engaged in, many of our digital transactions still rely on near primitive concepts.

The need for a new business model

This “innovation” phenomenon is not new, but it may be novel in our industry. While Silicon Valley’s model is designed around the idea that only one in 10 startups is likely to succeed, banks should be aware that this model cannot be copied as is.

We need only look to the music industry to see how it transitioned from purely brick and mortar to digital, while concurrently embracing mobile commerce over the course of a decade. Despite the growing pains, it embraced a business model designed to keep the music industry sustainable.

Taking this model to digital, mobile, and soon IoT, banking can reduce many of its security pain points. In embracing this approach, CSOs do not need to become more conservative; they should adopt new and proven security concepts rather than remaining comfortable with tried and true legacy concepts.

So what do we do? As Thomas Merton famously said, “The biggest human temptation is to settle for too little.” There is already real innovation that has been proven, especially in software security. Real innovation requires us to step away from minimum security requirements – which is really a code word for legacy pre-iPhone era technologies – and jump into deploying real and gutsy new technologies that are practical today. We still have enough time to discuss using the blockchain ledger for space travel ticketing before we have to deploy it.

Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Banking.com or NCR Corporation.


Written by Sam Shawki

Sam is Founder and CEO of MagicCube, which secures large deployments for tokenized transactions and secure financial PIN entry on Android, iOS and IoT devices.